Khalid Aziz <khalid.aziz@xxxxxxxxxx> writes:

> I am continuing to build on the work Juerg, Tycho and Julian have done
> on XPFO.

Awesome!

> A rogue process can launch a ret2dir attack only from a CPU that has
> dual mapping for its pages in physmap in its TLB. We can hence defer
> TLB flush on a CPU until a process that would have caused a TLB flush
> is scheduled on that CPU.

Assuming the attacker already has the ability to execute arbitrary code
in userspace, they can just create a second process and thus avoid the
TLB flush.

Am I getting this wrong?

Julian
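The objection above can be made concrete with a toy model of the deferred-flush policy as quoted. This is an added illustration, not code from the thread or from the XPFO patches: it models per-CPU TLBs that cache physmap translations, an XPFO page hand-off that flushes the local CPU immediately and only records a pending flush on other CPUs, and a scheduler hook that performs the deferred flush only when the process that caused it is scheduled there. The per-pid "owed by" bookkeeping and all function names are assumptions made for the model; the actual patch may track the condition differently.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the deferred physmap TLB flush quoted above. Constructed for
 * illustration; not the XPFO patch's code. Per-pid bookkeeping is assumed. */
#define NCPU   2
#define NPAGES 8
#define NO_PID (-1)

struct cpu_state {
    bool tlb_has_physmap[NPAGES]; /* physmap translation for pfn still cached here */
    bool flush_pending;           /* a physmap flush is owed on this CPU but deferred */
    int  flush_owed_by;           /* pid whose page allocation caused it */
};

struct page_state {
    bool in_physmap;              /* XPFO: mapped in physmap only while kernel-owned */
    int  user_owner;              /* pid owning it as a user page, or NO_PID */
};

struct machine {
    struct cpu_state  cpu[NCPU];
    struct page_state page[NPAGES];
};

void machine_init(struct machine *m)
{
    memset(m, 0, sizeof *m);
    for (int c = 0; c < NCPU; c++)
        m->cpu[c].flush_owed_by = NO_PID;
    for (int p = 0; p < NPAGES; p++) {
        m->page[p].in_physmap = true;
        m->page[p].user_owner = NO_PID;
    }
}

/* Kernel touches pfn via physmap on cpu (e.g. zeroing a free page): TLB fill. */
void kernel_touch_physmap(struct machine *m, int cpu, int pfn)
{
    if (m->page[pfn].in_physmap)
        m->cpu[cpu].tlb_has_physmap[pfn] = true;
}

/* XPFO hands pfn to user process pid: unmap from physmap, flush the local TLB,
 * and merely record a pending flush on other CPUs (the deferral under discussion). */
void xpfo_give_page_to_user(struct machine *m, int cur_cpu, int pid, int pfn)
{
    m->page[pfn].in_physmap = false;
    m->page[pfn].user_owner = pid;
    m->cpu[cur_cpu].tlb_has_physmap[pfn] = false;
    for (int c = 0; c < NCPU; c++)
        if (c != cur_cpu && m->cpu[c].tlb_has_physmap[pfn]) {
            m->cpu[c].flush_pending = true;
            m->cpu[c].flush_owed_by = pid;
        }
}

/* Context switch: the deferred flush runs only when the process that owes it
 * is scheduled on this CPU (our reading of the quoted policy). */
void sched_switch(struct machine *m, int cpu, int pid)
{
    struct cpu_state *c = &m->cpu[cpu];
    if (c->flush_pending && c->flush_owed_by == pid) {
        memset(c->tlb_has_physmap, 0, sizeof c->tlb_has_physmap);
        c->flush_pending = false;
        c->flush_owed_by = NO_PID;
    }
}

/* ret2dir precondition: pfn is a user page no longer in physmap, yet this
 * CPU's TLB still translates its physmap address. */
bool stale_physmap_reachable(const struct machine *m, int cpu, int pfn)
{
    return !m->page[pfn].in_physmap && m->cpu[cpu].tlb_has_physmap[pfn];
}

/* Run the scenario: pid 100 on CPU 0 takes pfn 3 while CPU 1 has its physmap
 * entry cached; then `second_pid` is scheduled on CPU 1. Returns whether the
 * stale entry is still usable there. */
bool stale_after_switch_to(int second_pid)
{
    struct machine m;
    machine_init(&m);
    kernel_touch_physmap(&m, 1, 3);
    sched_switch(&m, 0, 100);
    xpfo_give_page_to_user(&m, 0, 100, 3);   /* flush on CPU 1 deferred, owed by 100 */
    sched_switch(&m, 1, second_pid);
    return stale_physmap_reachable(&m, 1, 3);
}

int main(void)
{
    /* Julian's objection: a second attacker process (101) owes no flush on CPU 1. */
    printf("second process (101) on CPU 1 sees stale entry: %s\n",
           stale_after_switch_to(101) ? "yes" : "no");
    printf("allocating process (100) on CPU 1 sees stale entry: %s\n",
           stale_after_switch_to(100) ? "yes" : "no");
    return 0;
}
```

With the flush keyed to the process that caused it, the model shows the stale physmap translation surviving on CPU 1 exactly when a different process of the same user is scheduled there, which is the case Julian raises; scheduling the allocating process itself on CPU 1 triggers the flush. Whether the real patch keys the deferred flush that way is the question the reply asks.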